Abstract — From an arbitrary given channel code over a discrete or Gaussian memoryless channel, we construct a wiretap code with strong security. Our construction can achieve the wiretap capacity under mild assumptions. The key tool is a new privacy amplification theorem bounding the eavesdropped information in terms of the Gallager function.

I. Introduction 

Information-theoretic security [15] has recently attracted huge interest. The wiretap channel Q, lETl is one of its fundamental problems. On a wiretap channel, signals from the legitimate sender, called Alice, are delivered to both the legitimate receiver, called Bob, and the eavesdropper, called Eve. The goal of Alice is to deliver messages to Bob with low decoding error probability while keeping Eve from knowing much about the messages. The capacity of wiretap channels has been determined for discrete memoryless channels JT), lETl and for Gaussian channels [14] with a weaker notion of security. The capacity of the above wiretap channels has also been determined with a stronger notion of security [2], [6], [11]. The exponential decreasing rate of eavesdropped information is also evaluated in [11], [12]. The Shannon-theoretic study of wiretap channels is fairly advanced.

On the other hand, there is still room for research in the actual construction of codes for wiretap channels, which we call wiretap codes. Thangaraj et al. [20] proposed an LDPC-based construction for specific discrete memoryless channels, and Klinc et al. [13] proposed another LDPC-based construction for Gaussian channels. Hamada [10] and Hayashi [12] proposed general linear-code-based constructions for additive discrete memoryless channels. Muramatsu and Miyake proposed a construction based on the hashing property of LDPC matrices [18], whose decoding requires the high-complexity minimum entropy decoder.

In those constructions, except [12], error correction and provision of secrecy are combined in the constructed coding scheme. This prevents us from using well-studied error-correcting codes for the error correction in wiretap codes, and we need to adjust existing error-correcting codes or invent a new wiretap code. This inconvenience may not be necessary. In fact, in quantum key distribution protocols, error correction and the provision of secrecy can be separately studied and developed; see [16] and references therein.



Moreover, previous constructions for discrete memoryless channels, except [18], do not cover all discrete memoryless channels. It is desirable to have a construction of wiretap codes that can be used for any discrete memoryless channel.

In this paper, we show two constructions of wiretap codes from the encoder and decoder of an ordinary channel code. We modify neither the channel encoder nor the decoder. We attach a two-universal hash function to the encoder and the decoder in order to realize secrecy from Eve. We show that our construction can achieve the wiretap capacity in the strong security sense over discrete and Gaussian memoryless channels, while some of the previous constructions do not have proofs of strong security.

The key tools for our constructions are new forms of the privacy amplification (PA) theorem [5]. The original PA theorem [3] does not achieve the optimal rate of PA, which is the conditional Shannon entropy of Alice's information conditioned on Eve's information. Renner [19] improved it so that Renner's version of the theorem can achieve the optimal rate. However, it does not enable us to construct the wiretap code using an existing channel code. The reason is that we cannot numerically compute the rate of hashing that is necessary, for a given channel code, to make Eve's information on the secret message sufficiently small. So we present two new forms of the PA theorem. One is already given in [12]. However, it requires the random selection of a channel encoder from the given family of channel codes. We shall provide another form of the PA theorem in Theorem 7, which enables us to construct a wiretap code from a single channel encoder. Our new PA theorem is a nontrivial adaptation of the channel resolvability lemma [11, Lemma 2].

This paper is organized as follows: In Sec. II we fix notations used in this paper. In Secs. III and IV two constructions of wiretap codes are given. In Sec. V we present a novel privacy amplification theorem bounding the eavesdropped information in terms of the Gallager function. Section VI concludes the paper.

II. Preliminary 

In this section we shall fix notations used in this paper and review necessary prior results. Let $\mathcal{X}$ be the finite alphabet of channel inputs, $\mathcal{Y}$ the alphabet of channel outputs to the legitimate receiver, called Bob, and $\mathcal{Z}$ the alphabet of channel outputs to the eavesdropper, called Eve. The legitimate sender is called Alice. We fix the conditional probability or conditional probability density $Q_{Y|X}$ of the channel to Bob and $Q_{Z|X}$ of the channel to Eve. We assume channels are memoryless and further assume that

• both $\mathcal{Y}$ and $\mathcal{Z}$ are finite, which means that the channels are discrete memoryless,

• or $\mathcal{Y} = \mathcal{Z} = \mathbf{R}$ and the channels are additive Gaussian.

Let $\mathcal{M}_n$ be the set of messages transmitted to Bob secretly from Eve, $\eta_{\mathrm{Alice},n}$ a stochastic map from $\mathcal{M}_n$ to $\mathcal{X}^n$ of a wiretap encoder, and $\eta_{\mathrm{Bob},n}$ a deterministic map from $\mathcal{Y}^n$ to $\mathcal{M}_n$. We use the natural logarithm instead of $\log_2$ for convenience.

Definition 1: A rate $R > 0$ is said to be achievable if there exists a sequence $(\eta_{\mathrm{Alice},n}, \eta_{\mathrm{Bob},n})$ of encoders and decoders such that

$$\lim_{n\to\infty} \Pr[M_n \neq \eta_{\mathrm{Bob},n}(\eta_{\mathrm{Alice},n}(M_n))] = 0,$$

$$\lim_{n\to\infty} I(M_n; Z_n) = 0, \qquad \liminf_{n\to\infty} \frac{\ln|\mathcal{M}_n|}{n} \ge R,$$

where $M_n$ is the uniform random variable over $\mathcal{M}_n$ and $Z_n$ is the random variable for Eve's channel output from channel input $\eta_{\mathrm{Alice},n}(M_n)$. The supremum of the achievable rates is the capacity of the wiretap channel $(Q_{Y|X}, Q_{Z|X})$.
Note that we employ the strong security criterion introduced by Csiszár [6] and Maurer and Wolf [17]. The necessity for the strong security is given in 0, [11].

Proposition 2: Q, O, ifTTIl The capacity of the wiretap channel $(Q_{Y|X}, Q_{Z|X})$ is

$$\max_{P_T,\, P_{X|T}} [I(T;Y) - I(T;Z)]. \qquad (1)$$

In the next section, we shall show a construction of a wiretap encoder and decoder from an arbitrary given channel encoder and decoder. In the construction, we assume that we are given $Q_{X|T}$ achieving the maximum of Eq. (1). Note that when the wiretap channel is Gaussian, it is degraded and we can take $T = X$ without losing the optimality. In the construction, we shall also use a family of the two-universal hash functions 0, which is reviewed next.

Definition 3: Let $S_1$ and $S_2$ be finite sets and $\mathcal{F}$ a subset of the set of all mappings from $S_1$ to $S_2$. The family $\mathcal{F}$ is said to be a family of two-universal hash functions if

$$\Pr[F(x_1) = F(x_2)] \le \frac{1}{|S_2|}$$

for all distinct $x_1$ and $x_2$ in $S_1$, where $F$ is the uniform random variable on $\mathcal{F}$.

III. Randomized construction of a wiretap code 

A. Encoder and decoder 

In this section we shall construct a wiretap encoder and decoder from an arbitrary given ordinary channel encoder and decoder. The construction in this section can achieve the wiretap capacity (1) if the uniform distribution on $\mathcal{T}$ realizes the wiretap capacity (1). The assumptions are:

• We know $Q_{X|T}$ achieving the maximum of Eq. (1). Denote by $\mathcal{T}$ the alphabet of $T$.

• We are given a family of channel encoders $\mu_{\mathrm{Alice},n,g}$ indexed by $g \in \mathcal{G}_n$, mapping a message in the message set $\mathcal{L}_n$ to a codeword in $\mathcal{T}^n$, and a channel decoder $\mu_{\mathrm{Bob},n,g}$ mapping a received signal in $\mathcal{Y}^n$ to a message in $\mathcal{L}_n$. The channel encoder $\mu_{\mathrm{Alice},n,g}$ is a one-to-one map, and $\mathcal{T}^n$ is equal to the disjoint union of $\mu_{\mathrm{Alice},n,g}(\mathcal{L}_n)$ for $g \in \mathcal{G}_n$.

• We are given a family $\mathcal{F}_n$ of two-universal hash functions from $\mathcal{L}_n$ to $\mathcal{M}_n$, where $\mathcal{M}_n$ is the message set of the wiretap code.

Remark 4: The assumption on the channel encoders is usually met with linear codes. We usually use the codebook of a linear code whose codewords have zero syndrome. If we allow codebooks to have nonzero syndrome, then the family of codebooks with multiple syndromes constitutes the family of encoders $\{\mu_{\mathrm{Alice},n,g} \mid g \in \mathcal{G}_n\}$.

From these assumptions, we can construct a wiretap encoder, which is an extension of Hayashi's construction [12]. Choose a hash function $F_n$ uniformly randomly from $\mathcal{F}_n$ and $G \in \mathcal{G}_n$. For a given message $M_n$ to the wiretap encoder of code length $n$, choose a message $L_n$ uniformly randomly from $F_n^{-1}(M_n) \subset \mathcal{L}_n$, and compute the codeword $T_n = \mu_{\mathrm{Alice},n,G}(L_n)$ from the channel encoder. Finally, compute the actually transmitted signal $X_n$ by passing $T_n$ to the artificial memoryless channel $Q_{X|T}$. The decoder maps a given received signal $Y_n$ in $\mathcal{Y}^n$ to the message $F_n(\mu_{\mathrm{Bob},n,G}(Y_n)) \in \mathcal{M}_n$.
The random selection of $F_n$ and $G_n$ is a fatal problem because it requires sharing of common randomness between Alice and Bob. However, we shall show that $I(M_n; Z_n | F_n, G_n)$ can be upper bounded by an arbitrary positive number $\epsilon_1 \times \epsilon_2$, which means that at least $100(1-\epsilon_1)$% of the choices of $f_n \in \mathcal{F}_n$ and $g_n \in \mathcal{G}_n$ keep $I(M_n; Z_n | F_n = f_n, G_n = g_n)$ below $\epsilon_2$. Thus the legitimate sender and receiver can agree on the random choice of $f_n$ before transmission of the secret message $M_n$.

B. Evaluation of the eavesdropped information 

It should be clear that the (block) average decoding error probability of the constructed wiretap code is lower than or equal to that of the underlying code $(\mu_{\mathrm{Alice},n,g}, \mu_{\mathrm{Bob},n,g})$ for $g \in \mathcal{G}_n$, regardless of the random choices of $F_n$ and $L_n$ from $M_n$. The remaining task is the evaluation of the eavesdropped information $I(M_n; Z_n)$, where $Z_n$ is Eve's received signal on the channel input $X_n$. To do so, we introduce Hayashi's version of the privacy amplification theorem [12].

Proposition 5: Let $L$ be the uniform random variable with a finite alphabet $\mathcal{L}$ and $Z$ any random variable. If $Z$ is not a discrete random variable then the conditional probability of $Z$ given $L$ is assumed to be Gaussian. Let $\mathcal{F}$ be a family of two-universal hash functions from $\mathcal{L}$ to $\mathcal{M}$, and $F$ be the uniform random variable on $\mathcal{F}$. Then

$$H(F(L)|F,Z) \ge \ln|\mathcal{M}| - \frac{|\mathcal{M}|^s \exp(\psi(s, P_{L,Z}))}{|\mathcal{L}|^s s}$$

for $0 < s < 1$, where

$$\psi(s, P_{L,Z}) = \ln \sum_z \frac{\sum_{\ell} P_L(\ell)\,(P_{Z|L}(z|\ell))^{1+s}}{P_Z(z)^s}.$$

If $Z$ is conditionally Gaussian, $\sum_z$ should be replaced by the integration and $P_Z$, $P_{Z|L}$ denote probability densities.

Remark 6: The above proposition is a combination of [12, Eq. (2)] and the argument in the proof of [12, Theorem 2]. It was assumed that $Z$ was discrete in [12]. However, when the conditional probability of $Z$ given $L$ is Gaussian, there is no difficulty in extending the original result. It should also be noted that the uniformity assumption on $L$ is indispensable; otherwise the claim is false.

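By the above proposition, for fixed $G = g \in \mathcal{G}_n$ we have

$$\begin{aligned}
I(M_n; Z_n^g, F_n) &= I(M_n; Z_n^g | F_n) \\
&= H(M_n | F_n) - H(M_n | Z_n^g, F_n) \\
&\le \ln|\mathcal{M}_n| - H(M_n | Z_n^g, F_n) \\
&\le \frac{|\mathcal{M}_n|^s \exp(\psi(s, P^g_{L_n,Z_n}))}{|\mathcal{L}_n|^s s} \qquad (2)
\end{aligned}$$

for $0 < s < 1$, where $P^g_{L_n,Z_n}$ is the joint probability distribution and $Z_n^g$ is Eve's received signal with a fixed $g \in \mathcal{G}_n$.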

A major problem with the last upper bound (2) on $I(M_n; Z_n | F_n)$ is that for a given channel code it is practically impossible to numerically compute $\psi(s, P^g_{L_n,Z_n})$. To overcome this difficulty we shall upper bound $\exp(\psi(s, P^g_{L_n,Z_n}))$ by $\exp(\psi(s, P_{T,Z}))$, where $P_{T,Z}$ is a joint distribution on $\mathcal{T} \times \mathcal{Z}$.

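Let $T^g = \mu_{\mathrm{Alice},n,g}(L_n)$, which is a random variable on $\mathcal{T}^n$. Note that $T^g$ is the uniform random variable on $\mu_{\mathrm{Alice},n,g}(\mathcal{L}_n) \subset \mathcal{T}^n$. By the assumption on the given family of channel encoders $\mu_{\mathrm{Alice},n,g}$, $g \in \mathcal{G}_n$, the convex combination $\sum_{g \in \mathcal{G}_n} P_{T^g}/|\mathcal{G}_n|$ is the uniform distribution $\mathrm{Uniform}(\mathcal{T}^n)$ on $\mathcal{T}^n$. By the concavity of $\exp(\psi(s, \cdot))$ on the channel input probability distribution¹ [12, Lemma 1], we have

$$\frac{1}{|\mathcal{G}_n|} \sum_{g \in \mathcal{G}_n} \exp(\psi(s, P^g_{L_n,Z_n})) \le \exp(\psi(s, Q^n_{Z|T}\,\mathrm{Uniform}(\mathcal{T}^n))) = \exp(n\psi(s, Q_{Z|T}\,\mathrm{Uniform}(\mathcal{T}))).$$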

Observe that computation of the last mathematical expression is easy for almost all channels.
What we have proved is

$$I(M_n; Z_n | F_n, G_n) \le \frac{|\mathcal{M}_n|^s \exp(n\psi(s, Q_{Z|T}\,\mathrm{Uniform}(\mathcal{T})))}{|\mathcal{L}_n|^s s}. \qquad (3)$$

Observe that the minimization of the RHS of Eq. (3) over $s$ is also computable by the bisection method [4, Algorithm 4.1] because it is convex with respect to $s$. The logarithm of the right hand side is

$$s\left(\ln|\mathcal{M}_n| - \ln|\mathcal{L}_n| + \frac{n\psi(s, Q_{Z|T}\,\mathrm{Uniform}(\mathcal{T}))}{s}\right) - \ln s. \qquad (4)$$

¹ The concavity is proved under the assumption that $\mathcal{Z}$ is finite. However, if the conditional probability $Q_{Z|X}$ is Gaussian, the concavity proof needs no change except notational ones.

By l'Hôpital's theorem, we have

$$\lim_{s \to 0} \frac{\psi(s, Q_{Z|T}\,\mathrm{Uniform}(\mathcal{T}))}{s} = I(\mathrm{Uniform}(\mathcal{T}), Q_{Z|T}),$$

where the right hand side is the mutual information between the channel output and the uniform channel input to the imaginary channel $Q_{Z|T}$. Thus, by choosing $s$ such that $\psi(s, Q_{Z|T}\,\mathrm{Uniform}(\mathcal{T}))/s < I(\mathrm{Uniform}(\mathcal{T}), Q_{Z|T}) + \delta$, we can see that if $\ln|\mathcal{M}_n| < \ln|\mathcal{L}_n| - n(I(\mathrm{Uniform}(\mathcal{T}), Q_{Z|T}) + \delta)$ for some $\delta > 0$ then Eq. (4) converges to $-\infty$ as $n \to \infty$, which means the eavesdropper Eve has little information on the secret message. This means that if $\ln|\mathcal{L}_n|/n$ converges to $I(\mathrm{Uniform}(\mathcal{T}), Q_{Y|T})$ and the wiretap capacity (1) is achieved with uniform channel input then this construction also achieves the wiretap capacity.
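A numerical illustration of bound (3) and its logarithm (4), added here and not part of the paper: for a binary symmetric eavesdropper channel it evaluates $\psi$, minimizes Eq. (4) over $s$, and finds how many nats of secret message the hash may keep for a target leakage. The crossover probability 0.2, the rate-1/2 channel code, the target 1e-6 and all function names are assumptions; a ternary search stands in for the bisection method of [4].

```python
import math

# Constructed sample (assumption): Eve's channel Q_{Z|T} is a binary symmetric
# channel with crossover 0.2 and T is uniform on {0, 1}.
Q_EVE = [[0.8, 0.2], [0.2, 0.8]]
UNIFORM = [0.5, 0.5]

def p_out(Q, P, z):
    """Marginal P_Z(z) induced by input distribution P and channel Q[t][z]."""
    return sum(P[t] * Q[t][z] for t in range(len(P)))

def psi(s, Q, P):
    """psi(s, Q P) = ln sum_z [sum_t P(t) Q(z|t)^(1+s)] * P_Z(z)^(-s), in nats."""
    total = 0.0
    for z in range(len(Q[0])):
        pz = p_out(Q, P, z)
        if pz > 0.0:
            total += sum(P[t] * Q[t][z] ** (1 + s) for t in range(len(P))) * pz ** (-s)
    return math.log(total)

def mutual_information(Q, P):
    """I(P, Q) in nats; the limit of psi(s)/s as s -> 0."""
    return sum(P[t] * Q[t][z] * math.log(Q[t][z] / p_out(Q, P, z))
               for t in range(len(P)) for z in range(len(Q[0]))
               if P[t] > 0.0 and Q[t][z] > 0.0)

def log_bound(s, n, ln_m, ln_l, Q=Q_EVE, P=UNIFORM):
    """Eq. (4): logarithm of the right-hand side of Eq. (3)."""
    return s * (ln_m - ln_l) + n * psi(s, Q, P) - math.log(s)

def min_log_bound(n, ln_m, ln_l, iters=200):
    """Minimise Eq. (4) over 0 < s < 1 by ternary search (Eq. (4) is convex in s)."""
    lo, hi = 1e-9, 1.0
    for _ in range(iters):
        a, b = lo + (hi - lo) / 3, hi - (hi - lo) / 3
        if log_bound(a, n, ln_m, ln_l) < log_bound(b, n, ln_m, ln_l):
            hi = b
        else:
            lo = a
    s = (lo + hi) / 2
    return s, log_bound(s, n, ln_m, ln_l)

def max_secret_nats(n, ln_l, eps, grid=2000):
    """Largest ln|M_n| such that bound (3) <= eps for some s on a grid in (0, 1)."""
    best = -math.inf
    for k in range(1, grid):
        s = k / grid
        slack = n * psi(s, Q_EVE, UNIFORM) - math.log(s) - math.log(eps)
        best = max(best, ln_l - slack / s)
    return best

if __name__ == "__main__":
    info = mutual_information(Q_EVE, UNIFORM)
    for n in (1000, 10000, 100000):
        ln_l = 0.5 * n * math.log(2)  # assumed rate-1/2 binary channel code
        rate = max_secret_nats(n, ln_l, 1e-6) / n
        print(n, round(rate, 4), "nats/symbol, limit", round(ln_l / n - info, 4))
```

The secret rate printed for each $n$ stays below $\ln|\mathcal{L}_n|/n - I(\mathrm{Uniform}(\mathcal{T}), Q_{Z|T})$ and approaches it as $n$ grows, which is the limit used in the capacity argument above.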

A drawback of the proposed construction is the random selection of channel encoders. This requires that almost all pairs of encoder and decoder provide low decoding error probability, which is not verified for most channel codes. Moreover, in some cases, for example the channel encoder using the Trellis shaper HI, it is difficult to prepare a family of encoders that satisfies the requirement. Thus, in the next section, we show a deterministic construction of a wiretap code from a given channel code.

IV. Deterministic construction of a wiretap code 

In this section, we assume that the index set $\mathcal{G}_n$ has only one element, and we are given a pair of an encoder $\mu_{\mathrm{Alice},n}$ and a decoder $\mu_{\mathrm{Bob},n}$. We also assume that the given family $\mathcal{F}_n$ of hash functions satisfies the condition that for all $f \in \mathcal{F}_n$ and $m \in \mathcal{M}_n$ we have $|f^{-1}(m)| = |\mathcal{L}_n|/|\mathcal{M}_n|$ in order to apply Theorem 7 in Sec. V. This assumption on $\mathcal{F}_n$ is satisfied, for example when $\mathcal{M}_n$ = F g and $\mathcal{L}_n$ = F£, using the set of all the surjective linear maps from $\mathcal{L}_n$ to $\mathcal{M}_n$. Moreover, the linear mappings defined by the concatenation of the identity matrix and the Toeplitz matrix considered in [12, Appendix] also satisfy the assumption and are more efficiently implemented in practice.
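An added example, not taken from the paper or from [12]: an exhaustive check in Python that the linear maps $x \mapsto [I \mid T]x$ over $\mathbf{F}_2$ with a random Toeplitz block $T$ are two-universal (Definition 3) and have preimages of equal size $|\mathcal{L}_n|/|\mathcal{M}_n|$, together with the uniform preimage sampling that the encoder of Sec. III-A needs. The matrix layout, the small sizes used in the check and all function names are assumptions made here, since the appendix of [12] is not reproduced on this page.

```python
import itertools
import secrets
from collections import Counter

def toeplitz(seed, m, r):
    """m x r Toeplitz matrix over F_2 from m+r-1 seed bits: entry (i, j) depends only on i-j."""
    return [[seed[i - j + r - 1] for j in range(r)] for i in range(m)]

def times_tail(T, tail):
    """Matrix-vector product T * tail over F_2."""
    return [sum(a & b for a, b in zip(row, tail)) & 1 for row in T]

def hash_bits(seed, x, m):
    """f(x) = [I_m | T] x over F_2 for a k-bit list x; returns the m-bit hash."""
    head, tail = x[:m], x[m:]
    mix = times_tail(toeplitz(seed, m, len(tail)), tail)
    return [h ^ t for h, t in zip(head, mix)]

def sample_preimage(seed, msg, k):
    """Uniform draw from f^{-1}(msg): the tail is free, the head is msg + T*tail."""
    m = len(msg)
    tail = [secrets.randbits(1) for _ in range(k - m)]
    mix = times_tail(toeplitz(seed, m, k - m), tail)
    return [b ^ t for b, t in zip(msg, mix)] + tail

def worst_collision_probability(k, m):
    """max over x != x' of Pr_F[F(x) = F(x')], with F uniform over all Toeplitz seeds.

    By linearity F(x) = F(x') iff F(d) = 0 for d = x xor x', so only d != 0 is scanned.
    """
    seeds = list(itertools.product((0, 1), repeat=k - 1))
    worst = 0.0
    for d in itertools.product((0, 1), repeat=k):
        if any(d):
            hits = sum(1 for seed in seeds if not any(hash_bits(seed, list(d), m)))
            worst = max(worst, hits / len(seeds))
    return worst

def preimage_sizes(seed, k, m):
    """Number of k-bit inputs mapped to each m-bit output by one fixed hash function."""
    inputs = itertools.product((0, 1), repeat=k)
    return Counter(tuple(hash_bits(seed, list(x), m)) for x in inputs)

if __name__ == "__main__":
    k, m = 5, 2                      # constructed toy sizes: |L| = 32, |M| = 4
    seed = (1, 0, 1, 1)              # constructed Toeplitz seed of k-1 bits
    print("worst collision probability:", worst_collision_probability(k, m))
    print("preimage sizes:", dict(preimage_sizes(seed, k, m)))
    print("sampled preimage of [1, 0]:", sample_preimage(seed, [1, 0], k))
```

Because of the identity block, drawing $L_n$ uniformly from $F_n^{-1}(M_n)$ costs one matrix-vector product: the tail bits are free and the head is fixed by the message.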

The construction of the wiretap code is the same as in the previous section except that there is no random selection of encoders. The construction in this section can achieve the wiretap capacity (1) if the distribution $P_T$ on $\mathcal{T}$ realizing (1) also maximizes the mutual information $I(P_T, Q_{Z|T})$ to the eavesdropper. In order to evaluate the average of the mutual information, we develop a new privacy amplification theorem (Theorem 7) based on the Gallager function by modifying [11, Lemma 2] in the next section. Applying this result, one can show that



$$I(M_n; Z_n | F_n) \le \frac{|\mathcal{M}_n|^s \exp(\phi(s, Q^n_{Z|T}, P_{T_n}))}{|\mathcal{L}_n|^s s}$$

for $0 < s < 1/2$, where

$$\phi(s, Q^n_{Z|T}, P_{T_n}) = \ln \int_{\mathcal{Z}^n} \Bigl( \sum_{t \in \mathcal{T}^n} P_{T_n}(t)\,(Q^n_{Z|T}(z|t))^{1/(1-s)} \Bigr)^{1-s} dz.$$

If $\mathcal{Z}$ is finite, the integration should be replaced by summation and $Q_{Z|T}$ should be interpreted as the conditional probability.

Again, for a given channel encoder $\mu_{\mathrm{Alice},n}$, it is also practically impossible to compute $\phi(s, Q^n_{Z|T}, P_{T_n})$. We shall show a method to upper bound it. We have

$$\exp(\phi(s, Q^n_{Z|T}, P_{T_n})) \le \max_{P_n} \exp(\phi(s, Q^n_{Z|T}, P_n)),$$

where $P_n$ is a probability distribution on $\mathcal{T}^n$. Observe that $\phi$ is essentially the same as the function $E_0$ in [1], [9]. Thus if $P_{1,s}$ maximizes $\exp(\phi(s, Q_{Z|T}, P_{1,s}))$, then its $n$-fold i.i.d. extension $P^n_{1,s}$ also attains $\max_{P_n} \exp(\phi(s, Q^n_{Z|T}, P_n))$ JT), and we have

$$I(M_n; Z_n | F_n) \le \frac{|\mathcal{M}_n|^s \exp(n\phi(s, Q_{Z|T}, P_{1,s}))}{|\mathcal{L}_n|^s s}. \qquad (5)$$

Observe that for fixed $s$ and $Q_{Z|T}$, $\exp(\phi(s, Q_{Z|T}, P_{1,s}))$ is a concave function on a convex set and $P_{1,s}$ can easily be computed [4]. Observe also that for fixed $Q_{Z|T}$, the function $\max_{P_{1,s}}$ [RHS of Eq. (5)] is a convex function of $s$, thus $\min_s \max_{P_{1,s}}$ [RHS of Eq. (5)] can also be easily computed by the bisection method [4, Algorithm 4.1].
The logarithm of the right hand side is

$$s\left(\ln|\mathcal{M}_n| - \ln|\mathcal{L}_n| + \frac{n\phi(s, Q_{Z|T}, P_{1,s})}{s}\right) - \ln s.$$



Since $\phi$ is essentially $E_0$ in [9], $\lim_{s \to 0} \phi(s, Q_{Z|T}, P)/s = I(P, Q_{Z|T})$, where $P$ is a distribution on $\mathcal{T}$. Let $P_{\max}$ be a distribution on $\mathcal{T}$ maximizing $I(P, Q_{Z|T})$. Therefore, by almost the same argument as in Section III, if $\ln|\mathcal{M}_n| < \ln|\mathcal{L}_n| - n(I(P_{\max}, Q_{Z|T}) + \delta)$ for all $n$, then $I(M_n; Z_n | F_n)$ goes to zero as $n \to \infty$. If $P_{\max}$ also maximizes the wiretap capacity (1) and the given channel code achieves the information rate $I(P_{\max}, Q_{Y|T})$ then the construction in this section achieves the wiretap capacity.

V. New privacy amplification theorem in terms of the Gallager function

We shall show the following new privacy amplification theorem, which is indispensable for the deterministic construction of wiretap codes in Sec. IV.

Theorem 7: Assume that the given family $\mathcal{F}$ of two-universal hash functions from $\mathcal{L}$ to $\mathcal{M}$ satisfies

$$|F^{-1}(m)| = \frac{|\mathcal{L}|}{|\mathcal{M}|}, \quad \forall m,$$

a fixed conditional probability $Q_{Z|L}$ is given, and the random variable $L$ obeys the uniform distribution on $\mathcal{L}$. Then,

$$I(F(L); Z | F) = E_F I(F(L); Z) \le \frac{|\mathcal{M}|^s \exp(\phi(s, Q_{Z|L}))}{|\mathcal{L}|^s s} \qquad (6)$$

for $0 < s < 1/2$, where $E_F$ expresses the expectation concerning the random variable $F$,

$$\phi(s, Q_{Z|L}) = \ln \int_{\mathcal{Z}} \Bigl( E_L (Q_{Z|L}(z|L))^{1/(1-s)} \Bigr)^{1-s} dz$$

and $dz$ is an arbitrary measure.

Proof. Observe first that the joint probability $P_{F,L} = P_F \times P_L$ and the conditional probability $Q_{Z|L}$ uniquely determine $Q_{Z|F(L)}$. We can check that the function $s \mapsto \phi(s, Q_{Z|F(L)})$ satisfies the following properties:

$$\left.\frac{d\phi(s, Q_{Z|F(L)})}{ds}\right|_{s=0} = I(F(L); Z), \qquad \frac{d^2\phi(s, Q_{Z|F(L)})}{ds^2} \ge 0.$$

Hence, its convexity guarantees the inequality $s E_F I(F(L); Z) \le E_F \phi(s, Q_{Z|F(L)})$, which implies the inequality

$$E_F I(F(L); Z) \le E_F \frac{\phi(s, Q_{Z|F(L)})}{s} \qquad (7)$$

for $0 < s < 1$. In the following, we denote the uniform distribution on $\mathcal{L}$ by $P_L$.

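Let $1 + u = \frac{1}{1-s}$, then $1 > u > 0$ and $s = \frac{u}{1+u}$. Since $x \mapsto x^u$ is concave,

$$E_F \Bigl[ \sum_{\ell' : F(\ell') = F(\ell),\, \ell' \neq \ell} Q_{Z|L}(z|\ell') \Bigr]^u \le \Bigl[ E_F \sum_{\ell' : F(\ell') = F(\ell),\, \ell' \neq \ell} Q_{Z|L}(z|\ell') \Bigr]^u \le \Bigl( \frac{|\mathcal{L}|}{|\mathcal{M}|} Q_Z(z) \Bigr)^u. \qquad (8)$$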

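Using (8) and the relation $(x + y)^u \le x^u + y^u$ for two positive real numbers $x, y$, we obtain

$$\begin{aligned}
& \exp\bigl(E_F \phi(s, Q_{Z|F(L)})\bigr) \\
&\le E_F \int_{\mathcal{Z}} \Bigl( \sum_{m \in \mathcal{M}} \frac{1}{|\mathcal{M}|} Q_{Z|F(L)}(z|m)^{1+u} \Bigr)^{\frac{1}{1+u}} dz \qquad (9) \\
&\le \int_{\mathcal{Z}} \Bigl( E_F \sum_{m \in \mathcal{M}} \frac{1}{|\mathcal{M}|} Q_{Z|F(L)}(z|m)^{1+u} \Bigr)^{\frac{1}{1+u}} dz \qquad (10) \\
&= \int_{\mathcal{Z}} \Bigl( E_F \sum_{m \in \mathcal{M}} \frac{1}{|\mathcal{M}|} Q_{Z|F(L)}(z|m)\, Q_{Z|F(L)}(z|m)^{u} \Bigr)^{\frac{1}{1+u}} dz \\
&= \int_{\mathcal{Z}} \Bigl( E_F \sum_{m \in \mathcal{M}} \frac{1}{|\mathcal{M}|} \sum_{\ell \in \mathcal{L} : F(\ell) = m} \frac{|\mathcal{M}|}{|\mathcal{L}|} Q_{Z|L}(z|\ell) \Bigl[ \sum_{\ell' \in \mathcal{L} : F(\ell') = m} \frac{|\mathcal{M}|}{|\mathcal{L}|} Q_{Z|L}(z|\ell') \Bigr]^u \Bigr)^{\frac{1}{1+u}} dz \\
&= \int_{\mathcal{Z}} \Bigl( E_F \sum_{\ell \in \mathcal{L}} \frac{1}{|\mathcal{L}|} Q_{Z|L}(z|\ell) \Bigl( \frac{|\mathcal{M}|}{|\mathcal{L}|} \Bigr)^u \Bigl[ Q_{Z|L}(z|\ell) + \sum_{\ell' \in \mathcal{L} : F(\ell') = F(\ell),\, \ell' \neq \ell} Q_{Z|L}(z|\ell') \Bigr]^u \Bigr)^{\frac{1}{1+u}} dz \\
&\le \int_{\mathcal{Z}} \Bigl( E_F \sum_{\ell \in \mathcal{L}} \frac{1}{|\mathcal{L}|} Q_{Z|L}(z|\ell) \Bigl( \frac{|\mathcal{M}|}{|\mathcal{L}|} \Bigr)^u \Bigl( Q_{Z|L}(z|\ell)^u + \Bigl[ \sum_{\ell' \in \mathcal{L} : F(\ell') = F(\ell),\, \ell' \neq \ell} Q_{Z|L}(z|\ell') \Bigr]^u \Bigr) \Bigr)^{\frac{1}{1+u}} dz \qquad (11) \\
&\le \int_{\mathcal{Z}} \Bigl( \Bigl( \frac{|\mathcal{M}|}{|\mathcal{L}|} \Bigr)^u E_L Q_{Z|L}(z|L)^{1+u} + Q_Z(z) \Bigl( \frac{|\mathcal{M}|}{|\mathcal{L}|} \Bigr)^u \Bigl( \frac{|\mathcal{L}|}{|\mathcal{M}|} \Bigr)^u Q_Z(z)^u \Bigr)^{\frac{1}{1+u}} dz \qquad (12) \\
&= \int_{\mathcal{Z}} \Bigl( \Bigl( \frac{|\mathcal{M}|}{|\mathcal{L}|} \Bigr)^u E_L Q_{Z|L}(z|L)^{1+u} + Q_Z(z)^{1+u} \Bigr)^{\frac{1}{1+u}} dz \\
&\le \int_{\mathcal{Z}} \Bigl( \frac{|\mathcal{M}|}{|\mathcal{L}|} \Bigr)^{\frac{u}{1+u}} \bigl( E_L Q_{Z|L}(z|L)^{1+u} \bigr)^{\frac{1}{1+u}} + Q_Z(z)\, dz \qquad (13) \\
&= 1 + \Bigl( \frac{|\mathcal{M}|}{|\mathcal{L}|} \Bigr)^{\frac{u}{1+u}} \int_{\mathcal{Z}} \bigl( E_L Q_{Z|L}(z|L)^{1+u} \bigr)^{\frac{1}{1+u}} dz \\
&= 1 + \frac{|\mathcal{M}|^s e^{\phi(s, Q_{Z|L})}}{|\mathcal{L}|^s},
\end{aligned}$$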

where the inequalities can be shown in the following way. Ineq. (12) follows from (8). Ineqs. (11) and (13) follow from the inequality $(x + y)^u \le x^u + y^u$ for $0 < u < 1$ and $x, y > 0$. Ineq. (10) follows from the concavity of $x \mapsto x^u$ for $0 < u < 1$. Ineq. (9) follows from the convexity of $x \mapsto e^x$. Since the above inequality implies

$$E_F \phi(s, Q_{Z|F(L)}) \le \ln\Bigl[ 1 + \Bigl( \frac{|\mathcal{M}|}{|\mathcal{L}|} \Bigr)^s e^{\phi(s, Q_{Z|L})} \Bigr],$$

using (7) we obtain (6).

VI. Conclusion 

In this paper, starting from an arbitrary given channel code, we showed two constructions of wiretap codes. The first one involves the randomized selection of channel encoders. The second one is deterministic. These two constructions can achieve the wiretap capacity under different conditions. Our constructions provide strong security.

Ideally, the addition of hash functions to an arbitrary given channel code should always achieve the wiretap capacity whenever the given channel code achieves the capacity of the composition of the artificially added channel $Q_{X|T}$ plus the physical channel $Q_{Z|X}$. The proposed constructions fall short of this ideal. An improved construction should be explored. The numerical computation of an optimal $Q_{X|T}$ from given $Q_{Y|X}$ and $Q_{Z|X}$ is also an open problem.